The Top 20 Free Network Monitoring and Analysis Tools for Sys Admins

We know how administrators love free tools that make their life easier. Here are 20 of the best free tools for monitoring devices, services, ports or protocols and analyzing traffic on your network. Even if you may have heard of some of these tools before, we’re sure you’ll find a gem or two amongst this list – and if you know of any others, leave us a comment below!

Microsoft Network Monitor is a packet analyzer that allows you to capture, view and analyze network traffic. This tool is handy for troubleshooting network problems and applications on the network. Main features include support for over 300 public and Microsoft proprietary protocols, simultaneous capture sessions, a Wireless Monitor Mode and sniffing of promiscuous mode traffic, amongst others.

When you launch Microsoft Network Monitor, choose which adapter to bind to from the main window and then click “New Capture” to initiate a new capture tab. Within the Capture tab, click “Capture Settings” to change filter options, adapter options, or global settings accordingly and then hit “Start” to initiate the packet capture process.

Nagios is a powerful network monitoring tool that helps you to ensure that your critical systems, applications and services are always up and running. It provides features such as alerting, event handling and reporting. Nagios Core is the heart of the application and contains the core monitoring engine and a basic web UI. On top of Nagios Core, you can add plugins that allow you to monitor services, applications, and metrics, a frontend of your choice, and add-ons for data visualisation, graphs, load distribution, and MySQL database support, amongst others.

Tip: If you want to try out Nagios without needing to install and configure it from scratch, download Nagios XI from here and enable the free version. Nagios XI is the pre-configured enterprise class version built upon Nagios Core and is backed by a commercial company that offers support and additional features such as more plugins and advanced reporting.

Note: The free version of Nagios XI is ideal for smaller environments and will monitor up to seven nodes.

Once you’ve installed and configured Nagios, launch the Web UI and begin to configure host groups and service groups. Once Nagios has had some time to monitor the status of the specified hosts and services, it can start to paint a picture of what the health of your systems looks like.

OpenNMS is an open source enterprise grade network management application that offers automated discovery, event and notification management, performance measurement, and service assurance features. OpenNMS includes a client app for the iPhone, iPad or iPod Touch for on-the-go access, giving you the ability to view outages, nodes, alarms and add an interface to monitor.

Once you successfully login to the OpenNMS web UI, use the dashboard to get a quick ‘snapshot view’ of any outages, alarms or notifications. You can drill down and get more information about any of these sections from the Status drop down menu. The Reports section allows you to generate reports to send by e-mail or download as a PDF.

Advanced IP Scanner is a fast and easy to use network scanner that detects any network devices (including wireless devices such as mobile phones, printers and WIFI routers) on your network. It allows you to connect to common services such as HTTP, FTP and shared folders if they are enabled on the remote machine. You are also able to wake up and shut down remote computers.

The installer allows you to fully install the application on your machine or run the portable version. When you launch Advanced IP Scanner, start by going to Settings > Options to select which resources to scan and how fast/accurate you want the results to be. You can then choose which subnet to scan and proceed with pressing the “Scan” button. Once the scan is complete, expand the results to see which resources you are able to connect to for each discovered device.

Capsa Free is a network analyzer that allows you to monitor network traffic, troubleshoot network issues and analyze packets. Features include support for over 300 network protocols (including the ability to create and customize protocols), MSN and Yahoo Messenger filters, email monitor and auto-save, and customizable reports and dashboards.

When you launch Capsa, choose the adapter you want it to bind to and click “Start” to initiate the capture process. Use the tabs in the main window to view the dashboard, a summary of the traffic statistics, the TCP/UDP conversations, as well as packet analysis.

Fiddler is a web debugging tool that captures HTTP traffic between chosen computers and the Internet. It allows you to analyze incoming and outgoing data to monitor and modify requests and responses before they hit the browser. Fiddler gives you extremely detailed information about HTTP traffic and can be used for testing the performance of your websites or security testing of your web applications (e.g. Fiddler can decrypt HTTPS traffic).

When you launch Fiddler, HTTP traffic will start to be captured automatically. To toggle traffic capturing, hit F12. You can choose which processes you wish to capture HTTP traffic for by clicking on “All Processes” in the bottom status bar, or by dragging the “Any Process” icon from the top menu bar onto an open application.

NetworkMiner captures network packets and then parses the data to extract files and images, helping you to reconstruct actions that a user has taken on the network – it can also do this by parsing a pre-captured PCAP file. You can enter keywords which will be highlighted as network packets are being captured. NetworkMiner is classed as a Network Forensic Analysis Tool (NFAT) that can obtain information such as hostname, operating system and open ports from hosts.

In the example above, I set NetworkMiner to capture packets, opened a web browser and searched for “soccer” as a keyword on Google Images. The images displayed in the Images tab are what I saw during my browser session.

When you load NetworkMiner, choose a network adapter to bind to and hit the “Start” button to initiate the packet capture process.

Pandora FMS is a performance monitoring, network monitoring and availability management tool that keeps an eye on servers, applications and communications. It has an advanced event correlation system that allows you to create alerts based on events from different sources and notify administrators before an issue escalates.

When you login to the Pandora FMS Web UI, start by going to the ‘Agent detail’ and ‘Services’ node from the left hand navigation pane. From here, you can configure monitoring agents and services.

Zenoss Core is a powerful open source IT monitoring platform that monitors applications, servers, storage, networking and virtualization to provide availability and performance statistics. It also has a high performance event handling system and an advanced notification system.

Once you login to Zenoss Core Web UI for the first time, you are presented with a two-step wizard that asks you to create user accounts and add your first few devices / hosts to monitor. You are then taken directly to the Dashboard tab. Use the Dashboard, Events, Infrastructure, Reports and Advanced tabs to configure Zenoss Core and review reports and events that need attention.

PRTG Network Monitor monitors network availability and network usage using a variety of protocols including SNMP, Netflow and WMI. It is a powerful tool that offers an easy to use web-based interface and apps for iOS and Android. Amongst others, PRTG Network Monitor’s key features include:

(3) In-Depth Reporting, including the ability to create reports in HTML/PDF format, scheduled reports, as well as pre-defined reports (e.g. Top 100 Ping Times) and report templates.

Note: The Freeware version of PRTG Network Monitor is limited to 10 sensors.

When you launch PRTG Network Monitor, head straight to the configuration wizard to get started. This wizard will run you through the main configuration settings required to get the application up and running, including adding servers to monitor and choosing which sensors to use.

The Dude is a network monitoring tool that monitors devices and alerts you when there is a problem. It can also automatically scan all devices on a given subnet and then draw and layout a map of your network.

When you launch The Dude, you first choose to connect to a local or remote network and specify credentials accordingly. Click ‘Settings’ to configure options for SNMP, Polling, Syslog and Reports.

Splunk is a data collection and analysis platform that allows you to monitor, gather and analyze data from different sources on your network (e.g. event logs, devices, services, TCP/UDP traffic, etc). You can set up alerts to notify you when something is wrong or use Splunk’s extensive search, reporting and dashboard features to make the most of the collected data. Splunk also allows you to install ‘Apps’ to extend system functionality.

Note: When you first download and install Splunk, it automatically installs the Enterprise version for you to trial for 60 days before switching to the Free version. To switch to the Free version straight away, go to Manager > Licensing.

When you login to the Splunk web UI for the first time, add a data source and configure your indexes to get started. Once you do this you can then create reports, build dashboards, and search and analyze data.

Angry IP Scanner is a standalone application that facilitates IP address and port scanning. It is used to scan a range of IP addresses to find hosts that are alive and obtain information about them (including MAC address, open ports, hostname, ping time, NetBIOS information, etc).

When you execute the application, go to Tools > Preferences to configure Scanning and Port options, then go to Tools > Fetchers to choose what information to gather from each scanned IP address.

Icinga is a Linux based fully open source monitoring application which checks the availability of network resources and immediately notifies users when something goes down. Icinga provides business intelligence data for in depth analysis and a powerful command line interface.

When you first launch the Icinga web UI, you are prompted for credentials. Once you’ve authenticated, use the navigation menu on the left hand side to manage the configuration of hosts, view the dashboard, reports, see a history of events, and more.

Total Network Monitor continuously monitors hosts and services on the local network, notifying you of any issues that require attention via a detailed report of the problem. The result of each probe is classified using green, red, or black colors to quickly show whether the probe was successful, had a negative result or wasn’t able to complete.

When you launch Total Network Monitor, go to Tools > Scan Wizard to have the wizard scan a specified network range automatically and assign the discovered hosts to a group. Alternatively, create a new group manually to start adding devices/hosts individually.

NetXMS is a multi-platform network management and monitoring system that offers event management, performance monitoring, alerting, reporting and graphing for the entire IT infrastructure model. NetXMS’s main features include support for multiple operating systems and database engines, distributed network monitoring, auto-discovery, and business impact analysis tools, amongst others. NetXMS gives you the option to run a web-based interface or a management console.

Once you login to NetXMS you need to first go to the “Server Configuration” window to change a few settings that are dependent on your network requirements (e.g. changing the number of data collection handlers or enabling network discovery). You can then run the Network Discovery option for NetXMS to automatically discover devices on your network, or add new nodes by right clicking on “Infrastructure Services” and selecting Tools > Create Node.

Xymon is a web-based system – designed to run on Unix-based systems – that allows you to dive deep into the configuration, performance and real-time statistics of your networking environment. It offers monitoring capabilities with historical data, reporting and performance graphs.

Once you’ve installed Xymon, the first place you need to go is the hosts.cfg file to add the hosts that you are going to monitor. Here, you add information such as the host IP address, the network services to be monitored, what URLs to check, and so on.

When you launch the Xymon Web UI, the main page lists the systems and services being monitored by Xymon. Clicking on each system or service allows you to bring up status information about a particular host and then drill down to view specific information such as CPU utilization, memory consumption, RAID status, etc.

WirelessNetView is a lightweight utility (available as a standalone executable or installation package) that monitors the activity of reachable wireless networks and displays information related to them, such as SSID, Signal Quality, MAC Address, Channel Number, Cipher Algorithm, etc.

As soon as you execute WirelessNetView, it automatically populates a list of all reachable Wi-Fi networks in the area and displays information relevant to them (all columns are enabled by default).

Note: Wireless Network Watcher is a small utility that goes hand in hand with WirelessNetView. It scans your wireless network and displays a list of all computers and devices that are currently connected, showing information such as IP address, MAC address, computer name and NIC card manufacturer – all of which can be exported to a html/xml/csv/txt file.

Once you launch Wi-Fi Inspector and choose an adapter, a list of available Wi-Fi connections is displayed in the “Networks” pane. Details related to your current Wi-Fi connection are displayed in the top right hand corner. Everything pretty much happens from the top ribbon bar – you can run a test, change the layout, edit settings, refresh connections, etc.

This list wouldn’t be complete without the ever popular Wireshark. Wireshark is an interactive network protocol analyzer and capture utility. It provides for in-depth inspection of hundreds of protocols and runs on multiple platforms.

When you launch Wireshark, choose which interface you want to bind to and click the green shark fin icon to get going. Packets will immediately start to be captured. Once you’ve collected what you need, you can export the data to a file for analysis in another application or use the in-built filter to drill down and analyze the captured packets at a deeper level from within Wireshark itself.

Are there any free tools not on this list that you’ve found useful and would like to share with the community? Then leave us a comment below and let us know!


About the Author: Andrew Tabona

Andrew has over 10 years experience in Quality Assurance, Incident Management, and Pre- and Post-Sales Technical Support roles, as well as recent specialization in Digital Forensics and E-Discovery. He has contributed to several blogs and worked on various technical writing projects for multiple organizations, as well as being invited to be a regular guest lecturer and speaker at a top UK university.

Thanks for the range of free tools. I think everybody can choose something from the list, but I have always been surprised and a little bit prejudiced against free tools as I personally believe that if you pay you get a better quality and that is why I am using right now Anturis where you have to pay, but then I am sure of the quality and the support that I can get.

There is one big problem with most of the tools.. they simply don’t scale for large networks. I agree that they all serve their purpose and are often great spot tools (wireshark).. Making sure you know what the end goal is.. or the stated purpose of the tool is the first step to identifying if it will fit the bill. For us Nagios doesn’t work for 35k hosts. Splunk works fine over that many hosts but costs are incremental based on indexed volume. Zenoss is what we are working to replace our aging nagios estate with so it’s nice to see it get a mention.

marykaichini – Thanks for sharing! While I agree that some IT admins prefer to pay for commercial software for peace of mind (knowing that if something goes wrong they can quickly get in touch with someone who will help solve their problem) I have to say that some of the free / open source tools I have come across are of just as good quality as their commercial counterparts (especially for smaller businesses or specific tasks). What’s more is that some third party service providers make a business out of offering support for open source software so there is always the option of using open source / free tools and paying for support as a service if you wanted to. Both have their pros and cons but at the end of the day I think it’s fair to say that making a decision between an open source vs. commercial product depends on a number of factors including company size, budget, business requirements, risk acceptance, reputation of the solution provider, user experience, etc.

Scott Wilkerson – Many thanks! We have updated the article to include a link to the Nagios XI download page as you suggested.

Karan – Unfortunately you didn’t mention why you need to do this (i.e. what the scenario is) or whether you’re looking to change a static or dynamic IP address. I’m going to assume it’s a static IP address you need to change and that you’re doing so because there is an IP address conflict.

A couple of ideas that come to mind are:

1) change the IP address manually from the network interface UI by connecting to the remote node using something like remote desktop or VNC
2) use PsExec (from Microsoft SysInternals) to execute the netsh command remotely
3) connect to the registry of the remote node and change the IP address settings from there

Remember that if the change is successful you will lose connectivity to the remote machine (and when you re-establish connectivity you’ll need to do so using the new IP address). You may also need to reset the network interface (netsh allows you to do this).

Brisson – Thanks for the suggestion! LoriotPro Free Edition looks to be a good free SNMP network management tool for up to 10 IPs.

Jimmy Stewpot – Thanks for sharing. Always nice to hear real-world insights about how these tools work for different environments in the field. I agree that most of these tools will not scale to fit environments with nodes of ~35K (as such this list was intended to target SMBs). For such large environments – where people are likely to have bigger budgets – organizations are best going for an enterprise level product or implementing multiple instances of these open source solutions across different sites, for example.

Ian – Thanks for the suggestion! Had not heard of TC Console before; looks interesting.

I am wondering if you can help me. I am looking for a program which will detect a rogue device on the network via packet capture. There is a great utility called AirSnare that did this, but it is plagued with problems:
Will not run on 64-bit systems
Does not run as Windows service
Mail alarm does not include MAC address (variable {MAC} is not parsed)

Hi Kaleem – Unfortunately defining which Network Monitoring tool is the ‘best’ or most ‘user-friendly’ from the above list is very subjective. Everyone will have their own opinion of what they consider the ‘best’ and some users will find some software ‘user-friendly’ whereas others will not. I strongly recommend you evaluate the list in detail to determine which software fits your requirements, create a shortlist and then try out each product to see if it fits your needs. At least a handful of the software mentioned above, or a combination of them, have a “Top X” style reporting feature and allow you to monitor network packets.

Hi Carl – Thanks for the feedback! You might want to take a look at RogueScanner (http://sourceforge.net/projects/roguescanner/) and NetSurveyor (http://nutsaboutnets.com/netsurveyor-wifi-scanner/) – both freeware tools that detect rogue devices. You could also use WireShark to create a filter that excludes all the trusted/authorized MAC addresses on your network – this way, the network traffic that does come up would be worth investigating as it could be from a rogue device.
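The allowlist idea from the reply above, as an added example that is not part of the original article or its comments: it builds the Wireshark display filter that hides trusted source MACs and applies the same check offline to a classic libpcap capture. The allowlist, the sample capture and all function names are constructed for illustration.

```python
import struct

# Constructed allowlist of authorized source MACs (assumption for this example).
TRUSTED = {"00:11:22:33:44:55", "00:11:22:33:44:66"}

def wireshark_filter(trusted):
    """Display filter that hides frames sent by allowlisted MAC addresses."""
    if not trusted:
        raise ValueError("allowlist is empty")
    macs = sorted(m.lower() for m in trusted)
    return "not (" + " or ".join(f"eth.src == {m}" for m in macs) + ")"

def ethernet_frames(pcap):
    """Yield (frame_bytes, length_on_wire) from classic libpcap data."""
    magic = pcap[:4]
    # Magic is written in the capturing host's byte order (usec and nsec variants).
    if magic in (b"\xd4\xc3\xb2\xa1", b"\x4d\x3c\xb2\xa1"):
        endian = "<"
    elif magic in (b"\xa1\xb2\xc3\xd4", b"\xa1\xb2\x3c\x4d"):
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled)")
    if len(pcap) < 24:
        raise ValueError("truncated pcap global header")
    (linktype,) = struct.unpack_from(endian + "I", pcap, 20)
    if linktype != 1:
        raise ValueError("only Ethernet captures (link type 1) are handled")
    offset = 24
    while offset + 16 <= len(pcap):
        _, _, incl_len, orig_len = struct.unpack_from(endian + "IIII", pcap, offset)
        frame = pcap[offset + 16 : offset + 16 + incl_len]
        offset += 16 + incl_len
        if len(frame) >= 14:  # need a full Ethernet header to read the source MAC
            yield frame, orig_len

def unknown_sources(pcap, trusted):
    """Return per-MAC frame and byte counts for sources missing from the allowlist."""
    allow = {m.lower() for m in trusted}
    report = {}
    for frame, wire_len in ethernet_frames(pcap):
        src = frame[6:12]
        mac = ":".join(f"{b:02x}" for b in src)
        if mac in allow:
            continue
        entry = report.setdefault(mac, {
            "frames": 0,
            "bytes": 0,
            # Bit 0x02 of the first octet marks a locally administered address,
            # which is what MAC randomization on phones and laptops produces.
            "locally_administered": bool(src[0] & 0x02),
        })
        entry["frames"] += 1
        entry["bytes"] += wire_len
    return report

def _frame(src, dst="ff:ff:ff:ff:ff:ff"):
    """Constructed 60-byte Ethernet frame (IPv4 ethertype, zero payload)."""
    raw = lambda mac: bytes.fromhex(mac.replace(":", ""))
    return raw(dst) + raw(src) + b"\x08\x00" + b"\x00" * 46

def _pcap(frame_list):
    """Constructed little-endian pcap: 24-byte global header plus records."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frame_list):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(f), len(f)) + f
    return out

# Constructed sample capture: two trusted hosts and two unknown ones.
SAMPLE = _pcap([
    _frame("00:11:22:33:44:55"),
    _frame("de:ad:be:ef:00:01"),
    _frame("00:11:22:33:44:66"),
    _frame("de:ad:be:ef:00:01"),
    _frame("00:aa:bb:cc:dd:09"),
])

if __name__ == "__main__":
    print(wireshark_filter(TRUSTED))
    for mac, stats in unknown_sources(SAMPLE, TRUSTED).items():
        print(mac, stats)
```

A source MAC can be set to any value by the sender, so an allowlist hit is not proof that a device is authorized; treat the output as a list of leads to check against switch port and DHCP records.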

Because of your list we are not using PRTG and been loving it. Thanks for the help.
If I saw this last year I would say why is PackettrapMSP not on the list but took a big turn over the past year and wouldn't recommend anymore.
Another good tool I found recently is mxalerts.com. It doesn't do as much as some other tools but very simple and works great. Cheap too.
Few others like it but didn't need all the features. Simple easy tool.

Thanks for the list of Network Monitoring and Analysis tools. I am not a Network expert but a quite experienced IT professional. I am looking for a software that is able to give me visibility of what is going on in my LAN wifi at home. I have a number of clients registered (N mobiles, 2 Media Players, laptops, ipods, etc).
I would like to be able to identify and visually (eg. graphics) monitor the data streams coming in/out from my WIFI router. This will be great for trouble shooting problems including interferences, losses, etc. Before I start closely analysing and trying those 20 options, which ones would you recommend I should start with?
Sorry for the lengthy comment.
Cheers,
Jachson

I am working for an ISP. We are having a backbone network spread over entire country consisting 300+ routers.
Can anyone suggest the best tool for monitoring:
1.Backbone links connecting those routers.
2.Those 300+ devices
3.To detect bottle necks or congestion in any link.

Measmalis Mang / Kapti – I recommend you take a look at NetLimiter and InSSIDer. If your router supports QoS you can probably set a few options directly on this to give priority to certain IP/MAC addresses for example.

Edward – I recommend you take a look at BandwidthD and InSSIDer. I would also check your router since it might contain some stats you could export into Excel and plot a graph with.

Jachson – I would take a look at InSSIDer, WireShark, Xirrus Wi-Fi inspector, WirelessNetView, Capsa 7 Free Edition and your router itself. Using all of these combined, I’m sure it will give you the information you need. I would also keep in mind that any statistics you gather can be plotted into a graph using Excel for example.

santosh – I’m afraid I cannot recommend a particular solution for such an environment but I can say that some of the tools recommended above might be able to scale to meet your requirements (especially if you consider the commercial versions or have multiple instances distributed across the network). It may also be worth looking at a commercial SaaS offering.

JC – many thanks! I’m afraid I’m not aware of any such apps/hardware items. What exactly are you trying to achieve though? As in, what’s the issue that’s causing you to want an app/hardware item that does this? As you probably already know, if you simply wanted your IOS device not to connect to a WIFI network automatically you could disable the “Ask to Join Networks” option from Settings > WIFI. You can also tell the IOS device to forget about a specific WIFI network by selecting that WIFI network and choosing “Forget this Network”.

Kumar – the above list has a number of open source / freeware tools available that can monitor 20 clients. You might want to try something like Zenoss Core, Pandora, or NetXMS for example. However, as always I would recommend evaluating a handful of tools to see which one works best for you and suits your business requirements.

A new (free!) solution that I’ve been working on for network monitoring is called Happy Apps, monitoring and analysis, without the noise. The issue we’ve heard with some of the alternatives above is that there is significant work required in order to configure your systems, and once that is completed, the alerts and notifications sent out become overwhelming, until…..that one critical incident that goes ignored.

I have 300 desktops connected in a LAN, and network bandwidth usage is touching 100% sometimes. I would like to understand, which machine/IP is using the maximum n/w bandwidth. So, that I can analyse the usage pattern.

I understand that, quality comes with price, but I (business) can’t afford to buy a licensed version.

There are a few methods one can use. Basically you have to have access to the whole traffic on your network. Also you did not mention whether the bandwidth issue appears between LAN – Internet or internally between LAN devices. Anyway, you can access the whole Internet traffic by mirroring (port mirroring on Cisco switches) the LAN interface, the one which is connected directly to the WAN port, to a spare port. On the computer connected to that port you can use PRTG (for example) to locate the IP address which is responsible for traffic spikes. If your router is a Cisco device you can also use Netflow which is an easier route to take.

Thanks for your interesting information, Mr. Tabona,
I am new to Zenoss core monitoring tool. I’ve installed it on my CentOS 6.5 and also I’ve done auto-discovery for finding my network’s devices, but I have some problem with devices. Would you mind helping me with this?
If we can contact in a messaging app like “Google Hangouts” or Skype, I’ll be thankful.
this is my Skype ID(if you prefer Skype): saeidengman
please let me know if I can contact you for help, and how?
Regards,
Saeid

Awesome blog, thanks for these useful tools. We know how administrators love these tools that make their life easier, so here are some other analytic tools for monitoring devices. You can try this: http://www.redsqirl.com/